Abstract

In this paper, we inspect general digital evidence collection process which is according to RFC3227 document, and establish specific steps for guaranteeing integrity of digital evidence and memory information collection. EnCase/spl trade/ which was used globally has a weakness that MDC value of digital evidence can be modified, hence we propose MDC public system, MAC system and public authentication system with PKI as a countermeasure. And we explain detail of each system. Besides, we include memory dump process to existing digital evidence collection process, and examine privacy information through dumping real user's memory and collecting pagefile which is part of virtual memory system.